Archive for October, 2013

LiteSpeed Web Server – Privilege Escalation Vulnerability (R911-0084)

Thursday, October 31st, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: LiteSpeed Web Server
Website: http://www.litespeedtech.com
Vulnerable Version: 4.2.4
Fixed Version: 4.2.5
CVE:
R911: 0084
Date: 2013-10-31
By: Rack911

Product Description:

LiteSpeed Web Server (LSWS) is a high-performance Apache drop-in replacement. LSWS is the 4th most popular web server on the internet and the #1 commercial web server. Upgrading your web server to LiteSpeed Web Server will improve your performance and lower operating costs.

Vulnerability Description:

A privilege escalation is possible with LiteSpeed Web Server due to a poor choice of using /tmp to store Process ID information. When the web server is configured to run PHP without suEXEC, an attacker is able to write to the /tmp/lshttpd directory and use a carefully crafted exploit to obtain root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against LiteSpeed Web Server v4.2.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in LiteSpeed Web Server v4.2.5.

Vendor Contact Timeline:

2013-10-14: Vendor contacted via email.
2013-10-14: Vendor confirms vulnerability.
2013-10-30: Vendor issues update.
2013-10-31: Rack911 issues security advisory.

LiteSpeed Web Server – Symlink Race Condition Vulnerability (R911-0083)

Thursday, October 31st, 2013

Type: Symlink Race Condition
Location: Local
Impact: High
Product: LiteSpeed Web Server
Website: http://www.litespeedtech.com
Vulnerable Version: 4.2.4
Fixed Version: 4.2.5
CVE:
R911: 0083
Date: 2013-10-31
By: Rack911

Product Description:

LiteSpeed Web Server (LSWS) is a high-performance Apache drop-in replacement. LSWS is the 4th most popular web server on the internet and the #1 commercial web server. Upgrading your web server to LiteSpeed Web Server will improve your performance and lower operating costs.

Vulnerability Description:

A malicious user can perform a carefully crafted symlink attack against LiteSpeed Web Server to obtain any file belonging to other customers on the same server. Using our unique symlink attack defeats all protection in the LiteSpeed Web Server in a matter of seconds.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that other user files may be accessible.

Vulnerable Version:

This vulnerability was tested against LiteSpeed Web Server v4.2.4 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in LiteSpeed Web Server v4.2.5.

Vendor Contact Timeline:

2013-10-14: Vendor contacted via email.
2013-10-14: Vendor confirms vulnerability.
2013-10-30: Vendor issues update.
2013-10-31: Rack911 issues security advisory.

Installatron (DirectAdmin) – Privilege Escalation Vulnerability (R911-0082)

Friday, October 25th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: Installatron
Website: http://www.installatron.com
Vulnerable Version: v9.0.3
Fixed Version: v9.0.4 and v8.0.16
CVE: -
R911: 0082
Date: 2013-10-25
By: Rack911

Product Description:

Installatron is a turn-key, state-of-the-art web application automation solution (also known as an auto installer or script installer) for web hosting control panel platforms.

Once installed on a control panel server, Installatron’s powerful, easy-to-use user-interface integrates seamlessly, enabling instant, one-click installs and upgrades, backups and restores, and other advanced features for a premier collection of only the best applications on the web.

Vulnerability Description:

Installatron on DirectAdmin can use the system cURL binary, which allows an attacker to manipulate its output using a malicious config file; this could lead to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against Installatron v9.0.3 for DirectAdmin and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in Installatron v9.0.4 and 8.0.16.

Vendor Contact Timeline:

2013-10-21: Vendor contacted via email.
2013-10-21: Vendor confirms vulnerability.
2013-10-21: Vendor issues v9.0.4 and v8.0.16 update.
2013-10-25: Rack911 issues security advisory.

CloudFlare (cPanel) – Local Privilege Escalation Vulnerability (R911-0081)

Wednesday, October 23rd, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: CloudFlare (cPanel Plugin)
Website: http://www.cloudflare.com
Vulnerable Version: 4.2
Fixed Version: 4.5
CVE: -
R911: 0081
Date: 2013-10-22
By: Rack911

Product Description:

CloudFlare protects and accelerates any website online. Once your website is a part of the CloudFlare community, its web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

Vulnerability Description:

There is a local privilege escalation flaw in CloudFlare’s cPanel Plugin that would allow an attacker to write to any file on the server leading to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against CloudFlare (cPanel Plugin) v4.2 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudFlare (cPanel Plugin) v4.5.

Vendor Contact Timeline:

2013-10-18: Vendor contacted via email.
2013-10-18: Vendor confirms vulnerability.
2013-10-21: Vendor issues updates to all builds.
2013-10-22: Rack911 issues security advisory.

CloudFlare (cPanel) – Local Privilege Escalation Vulnerability (R911-0080)

Tuesday, October 15th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: CloudFlare (cPanel Plugin)
Website: http://www.cloudflare.com
Vulnerable Version: 4.1
Fixed Version: 4.2
CVE: -
R911: 0080
Date: 2013-10-15
By: Rack911

Product Description:

CloudFlare protects and accelerates any website online. Once your website is a part of the CloudFlare community, its web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources. The result: CloudFlare-powered websites see a significant improvement in performance and a decrease in spam and other attacks.

Vulnerability Description:

There is a local privilege escalation flaw in CloudFlare’s cPanel Plugin that would allow an attacker to write to any file on the server, ultimately leading to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against CloudFlare (cPanel Plugin) v4.1 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in CloudFlare (cPanel Plugin) v4.2.

Vendor Contact Timeline:

2013-09-30: Vendor contacted in person.
2013-09-30: Vendor confirms vulnerability.
2013-10-13: Vendor issues updates to all builds.
2013-10-15: Vendor and Rack911 issue security advisory.

SpamExperts (cPanel Plugin) – Local Privilege Escalation (R911-0079)

Friday, October 11th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: SpamExperts (cPanel Plugin)
Website: http://www.spamexperts.com
Vulnerable Version: v3.0.58799
Fixed Version: v3.0.59056
CVE: -
R911: 0079
Date: 2013-10-11
By: Rack911

Product Description:

SpamExperts delivers managed email security in the cloud or on premises, tailored for webhosts: incoming and outgoing email filtering, and email archiving. Reduce churn, increase revenue, be 100% secure! Full API and standard integration and automation plugins for cPanel, Parallels products, DirectAdmin; redundant, synchronized, and scalable; 4-tier control panel; multi-level branding options; 24/7 support and SLAs; fast release cycles and frequent updates!

Vulnerability Description:

There is a local privilege escalation flaw in SpamExperts’ cPanel Plugin that would allow an attacker to obtain root access.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that root access can be obtained.

Vulnerable Version:

This vulnerability was tested against SpamExperts’ cPanel Plugin v3.0.58799 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in SpamExperts’ cPanel Plugin v3.0.59056.

Vendor Contact Timeline:

2013-10-01: Vendor contacted in person.
2013-10-01: Vendor confirms vulnerability.
2013-10-02: Vendor issues updates to all builds.
2013-10-11: Rack911 issues security advisory.

Idera Server Backup Manager (R1Soft) – Arbitrary File Access Vulnerability (R911-0073)

Tuesday, October 8th, 2013

Type: Arbitrary File Access
Location: Local
Impact: High
Product: Idera Server Backup Manager (R1Soft)
Website: http://www.idera.com
Vulnerable Version: 5.4.1 build 39
Fixed Version: 5.4.2 build 71
CVE:
R911: 0073
Date: 2013-10-08
By: Rack911

Product Description:

Idera Server Backup Manager is an affordable, high-performance, disk-to-disk backup software for Linux and Windows servers. (This software was previously more commonly known as R1Soft Backup.)

Vulnerability Description:

It is possible for an attacker to tamper with other users’ archive backups (*.tar.gz) on the server by manipulating the Restore to Agent feature.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any *.tar.gz archive on the server, including cPanel backups, can be modified.

Vulnerable Version:

This vulnerability was tested against Idera Server Backup Manager (R1Soft) v5.4.1 build 39 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in Idera Server Backup Manager (R1Soft) v5.4.2 build 71.

Vendor Contact Timeline:

2013-09-12: Vendor contacted via email.
2013-09-12: Vendor confirms vulnerability.
2013-10-08: Vendor issues update.
2013-10-08: Rack911 issues security advisory.

Idera Server Backup Manager (R1Soft) – Arbitrary File Access Vulnerability (R911-0072)

Tuesday, October 8th, 2013

Type: Arbitrary File Access
Location: Local
Impact: High
Product: Idera Server Backup Manager (R1Soft)
Website: http://www.idera.com
Vulnerable Version: 5.4.1 build 39
Fixed Version: 5.4.2 build 71
CVE:
R911: 0072
Date: 2013-10-08
By: Rack911

Product Description:

Idera Server Backup Manager is an affordable, high-performance, disk-to-disk backup software for Linux and Windows servers. (This software was previously more commonly known as R1Soft Backup.)

Vulnerability Description:

It is possible for an attacker to obtain any file on the server regardless of ownership when the next scheduled backup runs.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be obtained, including /etc/shadow.

Vulnerable Version:

This vulnerability was tested against Idera Server Backup Manager (R1Soft) v5.4.1 build 39 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in Idera Server Backup Manager (R1Soft) v5.4.2 build 71.

Vendor Contact Timeline:

2013-09-12: Vendor contacted via email.
2013-09-12: Vendor confirms vulnerability.
2013-10-08: Vendor issues update.
2013-10-08: Rack911 issues security advisory.

Idera Server Backup Manager (R1Soft) – Arbitrary File Overwrite Vulnerability (R911-0071)

Tuesday, October 8th, 2013

Type: Arbitrary File Overwrite
Location: Local
Impact: High
Product: Idera Server Backup Manager (R1Soft)
Website: http://www.idera.com
Vulnerable Version: 5.4.1 build 39
Fixed Version: 5.4.2 build 71
CVE:
R911: 0071
Date: 2013-10-08
By: Rack911

Product Description:

Idera Server Backup Manager is an affordable, high-performance, disk-to-disk backup software for Linux and Windows servers. (This software was previously more commonly known as R1Soft Backup.)

Vulnerability Description:

It is possible for an attacker to overwrite any file on the server regardless of ownership by providing a malicious restore directory via the Send to Agent feature.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as HIGH due to the fact that any file can be overwritten which could ultimately render a server inoperable.

Vulnerable Version:

This vulnerability was tested against Idera Server Backup Manager (R1Soft) v5.4.1 build 39 and is believed to exist in previous versions.

Fixed Version:

This vulnerability was patched in Idera Server Backup Manager (R1Soft) v5.4.2 build 71.

Vendor Contact Timeline:

2013-09-12: Vendor contacted via email.
2013-09-12: Vendor confirms vulnerability.
2013-10-08: Vendor issues update.
2013-10-08: Rack911 issues security advisory.

DirectAdmin – MySQL Local Privilege Escalation Vulnerability (R911-0078)

Monday, October 7th, 2013

Type: Privilege Escalation
Location: Local
Impact: Critical
Product: DirectAdmin
Website: http://www.directadmin.com
Vulnerable Version: v1.43
Fixed Version: v1.44
CVE: -
R911: 0078
Date: 2013-10-07
By: Rack911

Product Description:

DirectAdmin is a graphical web-based web hosting control panel designed to make administration of websites easier.

Vulnerability Description:

There is a flaw within the backup system that allows an attacker to run arbitrary commands as root while MySQL databases are being restored, which could ultimately lead to a root compromise.

Proof of Concept:

Due to the nature of this security flaw, we will not be posting a Proof of Concept until a much later date.

Impact:

We have deemed this vulnerability to be rated as CRITICAL due to the fact that a normal user can gain an instant root shell.

Vulnerable Version:

This vulnerability was tested against DirectAdmin v1.43 and is believed to exist in all prior versions.

Fixed Version:

This vulnerability was patched in DirectAdmin v1.44.

Vendor Contact Timeline:

2013-06-22: Vendor contacted via email.
2013-06-22: Vendor confirms vulnerability.
2013-09-26: Vendor issues v1.44 update.
2013-10-07: Rack911 issues security advisory.